feat: add fully configurable regional bucket DA (#906)

Author: Aditya-ranjan-16

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-05-23T10:42:30Z",
+  "generated_at": "2025-06-23T06:45:07Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -138,7 +138,7 @@
         "hashed_secret": "3e4bdbe0b80e63c22b178576e906810777387b50",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 225,
+        "line_number": 269,
         "type": "Secret Keyword",
         "verified_result": null
       }

ibm_catalog.json

@@ -0,0 +1,68 @@
+# Configuring complex inputs for COS - Regional bucket (Fully configurable) in IBM Cloud projects
+
+Several optional input variables in the IBM Cloud [COS - Secure Regional bucket deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.
+
+* Context-Based Restrictions Rules (`cos_bucket_cbr_rules`)
+
+
+## Rules For Context-Based Restrictions <a name="cos_bucket_cbr_rules"></a>
+
+The `cos_bucket_cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.
+
+- Variable name: `cos_bucket_cbr_rules`.
+- Type: A list of objects. Allows only one object representing a rule for the target service
+- Default value: An empty list (`[]`).
+
+### Options for cos_bucket_cbr_rules
+
+  - `description` (required): The description of the rule to create.
+  - `account_id` (required): The IBM Cloud Account ID
+  - `rule_contexts` (required): (List) The contexts the rule applies to
+      - `attributes` (optional): (List) Individual context attributes
+        - `name` (required): The attribute name.
+        - `value` (required): The attribute value.
+
+  - `enforcement_mode` (required): The rule enforcement mode can have the following values:
+      - `enabled` - The restrictions are enforced and reported. This is the default.
+      - `disabled` - The restrictions are disabled. Nothing is enforced or reported.
+      - `report` - The restrictions are evaluated and reported, but not enforced.
+  - `tags` (optional): (List) Resource Tags .
+       - `name` (required): The Tag name.
+       - `value` (required): The Tag value.
+  - `operations` (optional): The operations this rule applies to
+    - `api_types`(required): (List) The API types this rule applies to.
+        - `api_type_id`(required):The API type ID
+
+### Example Rule For Context-Based Restrictions Configuration
+
+```hcl
+  {
+  description = "COS can be accessed from xyz"
+  account_id = "defc0df06b644a9cabc6e44f55b3880s."
+  rule_contexts= [{
+      attributes = [
+                {
+                              "name" : "endpointType",
+                              "value" : "private"
+                },
+                {
+                  name  = "networkZoneId"
+                  value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+                }
+        ]
+     }
+   ]
+  enforcement_mode = "enabled"
+  resources = [{
+    tags {
+              name     = "tag_name"
+              value    = "tag_value"
+        }
+  }]
+  operations = [{
+    api_types = [{
+     api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }]
+    }]
+  }
+```

reference-architectures/regional-bucket.svg

@@ -0,0 +1,3 @@
+# Cloud automation for Regional Bucket (Fully configurable)
+
+:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

solutions/regional-bucket/fully-configurable/DA-cbr_rules.md

@@ -0,0 +1,9 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY,
+  "prefix": $PREFIX,
+  "bucket_name": "test",
+  "region": "us-south",
+  "kms_encryption_enabled": true,
+  "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN,
+  "existing_cos_instance_crn": $COS_INSTANCE_CRN
+}

solutions/regional-bucket/fully-configurable/README.md

@@ -0,0 +1,192 @@
+##############################################################################
+# Secure Regional Bucket
+##############################################################################
+locals {
+  prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : ""
+}
+
+locals {
+
+  bucket_config = [{
+    access_tags                   = var.bucket_access_tags
+    bucket_name                   = "${local.prefix}${var.bucket_name}"
+    kms_encryption_enabled        = var.kms_encryption_enabled
+    add_bucket_name_suffix        = var.add_bucket_name_suffix
+    kms_guid                      = local.existing_kms_instance_guid
+    kms_key_crn                   = local.kms_key_crn
+    skip_iam_authorization_policy = local.create_cross_account_auth_policy || var.skip_cos_kms_iam_auth_policy
+    management_endpoint_type      = var.management_endpoint_type_for_bucket
+    region_location               = var.region
+    resource_instance_id          = var.existing_cos_instance_crn
+    storage_class                 = var.bucket_storage_class
+    force_delete                  = var.force_delete
+    hard_quota                    = var.bucket_hard_quota
+    expire_filter_prefix          = var.expire_filter_prefix
+    archive_filter_prefix         = var.archive_filter_prefix
+    object_locking_enabled        = var.enable_object_locking
+    object_lock_duration_days     = var.object_lock_duration_days
+    object_lock_duration_years    = var.object_lock_duration_years
+
+    activity_tracking = {
+      read_data_events  = true
+      write_data_events = true
+    }
+    archive_rule = var.archive_days != null ? {
+      enable = true
+      days   = var.archive_days
+      type   = var.archive_type
+    } : null
+    expire_rule = var.expire_days != null ? {
+      enable = true
+      days   = var.expire_days
+    } : null
+    metrics_monitoring = {
+      usage_metrics_enabled   = true
+      request_metrics_enabled = true
+      management_events       = true
+      metrics_monitoring_crn  = var.monitoring_crn
+    }
+    object_versioning = {
+      enable = var.enable_object_versioning
+    }
+    retention_rule = var.enable_retention ? {
+      default   = var.default_retention_days
+      maximum   = var.maximum_retention_days
+      minimum   = var.minimum_retention_days
+      permanent = var.enable_permanent_retention
+    } : null
+    cos_bucket_cbr_rules = var.cos_bucket_cbr_rules
+  }]
+}
+#######################################################################################################################
+# Parse COS
+#######################################################################################################################
+
+module "cos_instance_crn_parser" {
+  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+  version = "1.1.0"
+  crn     = var.existing_cos_instance_crn
+}
+
+locals {
+  cos_instance_guid = module.cos_instance_crn_parser.service_instance
+}
+#######################################################################################################################
+# KMS Key
+#######################################################################################################################
+
+locals {
+  existing_kms_instance_guid       = var.kms_encryption_enabled ? var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_instance : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : null : null
+  kms_region                       = var.kms_encryption_enabled ? var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].region : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].region : null : null
+  kms_service_name                 = var.kms_encryption_enabled ? var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : null : null
+  kms_account_id                   = var.kms_encryption_enabled ? var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].account_id : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : null : null
+  kms_key_crn                      = var.kms_encryption_enabled ? var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", var.cos_key_ring_name, var.cos_key_name)].crn : null
+  kms_key_id                       = var.kms_encryption_enabled ? var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms[0].keys[format("%s.%s", var.cos_key_ring_name, var.cos_key_name)].key_id : null
+  create_cross_account_auth_policy = !var.skip_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key != null
+}
+########################################################################################################################
+# Parse KMS info from given CRNs
+########################################################################################################################
+
+module "kms_instance_crn_parser" {
+  count   = var.existing_kms_instance_crn != null ? 1 : 0
+  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+  version = "1.1.0"
+  crn     = var.existing_kms_instance_crn
+}
+
+module "kms_key_crn_parser" {
+  count   = var.existing_kms_key_crn != null ? 1 : 0
+  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+  version = "1.1.0"
+  crn     = var.existing_kms_key_crn
+}
+
+# Create IAM Authorization Policy to allow COS to access KMS for the encryption key
+resource "ibm_iam_authorization_policy" "cos_kms_policy" {
+  count                       = local.create_cross_account_auth_policy ? 1 : 0
+  provider                    = ibm.kms
+  source_service_account      = module.cos_instance_crn_parser.account_id
+  source_service_name         = "cloud-object-storage"
+  source_resource_instance_id = local.cos_instance_guid
+  roles                       = ["Reader"]
+  description                 = "Allow the COS instance ${local.cos_instance_guid} to read the ${local.kms_service_name} key ${local.kms_key_id} from the instance ${local.existing_kms_instance_guid}"
+  resource_attributes {
+    name     = "serviceName"
+    operator = "stringEquals"
+    value    = local.kms_service_name
+  }
+  resource_attributes {
+    name     = "accountId"
+    operator = "stringEquals"
+    value    = local.kms_account_id
+  }
+  resource_attributes {
+    name     = "serviceInstance"
+    operator = "stringEquals"
+    value    = local.existing_kms_instance_guid
+  }
+  resource_attributes {
+    name     = "resourceType"
+    operator = "stringEquals"
+    value    = "key"
+  }
+  resource_attributes {
+    name     = "resource"
+    operator = "stringEquals"
+    value    = local.kms_key_id
+  }
+  # Scope of policy now includes the key, so ensure to create new policy before
+  # destroying old one to prevent any disruption to every day services.
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "time_sleep" "wait_for_authorization_policy" {
+  depends_on      = [ibm_iam_authorization_policy.cos_kms_policy]
+  create_duration = "30s"
+}
+
+# KMS root key for COS bucket
+module "kms" {
+  providers = {
+    ibm = ibm.kms
+  }
+  count                       = var.kms_encryption_enabled && var.existing_kms_key_crn != null ? 0 : 1 # no need to create any KMS resources if passing an existing key.
+  source                      = "terraform-ibm-modules/kms-all-inclusive/ibm"
+  version                     = "5.1.7"
+  create_key_protect_instance = false
+  region                      = local.kms_region
+  existing_kms_instance_crn   = var.existing_kms_instance_crn
+  key_ring_endpoint_type      = var.kms_endpoint_type
+  key_endpoint_type           = var.kms_endpoint_type
+  keys = [
+    {
+      key_ring_name     = var.cos_key_ring_name
+      existing_key_ring = false
+      keys = [
+        {
+          key_name                 = var.cos_key_name
+          standard_key             = false
+          rotation_interval_month  = 3
+          dual_auth_delete_enabled = false
+          force_delete             = true
+        }
+      ]
+    }
+  ]
+}
+
+#######################################################################################################################
+# COS Bucket
+#######################################################################################################################
+
+module "cos" {
+  providers = {
+    ibm = ibm.cos
+  }
+  depends_on     = [time_sleep.wait_for_authorization_policy]
+  source         = "../../../modules/buckets"
+  bucket_configs = local.bucket_config
+}

solutions/regional-bucket/fully-configurable/catalogValidationValues.json.template

@@ -0,0 +1,32 @@
+##############################################################################
+# Outputs
+##############################################################################
+output "buckets" {
+  description = "The list of buckets created by this DA."
+  value       = module.cos.buckets
+}
+
+output "s3_endpoint_direct" {
+  description = "The s3 direct endpoint of the created bucket."
+  value       = try(module.cos.buckets[var.bucket_name].s3_endpoint_direct, null)
+}
+
+output "s3_endpoint_private" {
+  description = "The s3 private endpoint of the created bucket."
+  value       = try(module.cos.buckets[var.bucket_name].s3_endpoint_private, null)
+}
+
+output "bucket_name" {
+  description = "The name of the bucket that was created. Includes the optional suffix if enabled."
+  value       = try(module.cos.buckets[var.bucket_name].bucket_name, null)
+}
+
+output "cos_instance_crn" {
+  description = "The CRN of the COS instance containing the created bucket."
+  value       = var.existing_cos_instance_crn
+}
+
+output "cos_instance_guid" {
+  description = "The guid of the COS instance containing the created bucket."
+  value       = local.cos_instance_guid
+}

solutions/regional-bucket/fully-configurable/main.tf

@@ -0,0 +1,14 @@
+provider "ibm" {
+  alias                 = "cos"
+  ibmcloud_api_key      = var.ibmcloud_api_key
+  visibility            = var.provider_visibility
+  private_endpoint_type = (var.provider_visibility == "private" && var.region == "ca-mon") ? "vpe" : null
+}
+
+provider "ibm" {
+  alias                 = "kms"
+  ibmcloud_api_key      = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
+  region                = local.kms_region
+  visibility            = var.provider_visibility
+  private_endpoint_type = (var.provider_visibility == "private" && var.region == "ca-mon") ? "vpe" : null
+}